diff --git a/pkg/setup/initialize.go b/pkg/setup/initialize.go
index f0ba749f6c..a77babc5c9 100644
--- a/pkg/setup/initialize.go
+++ b/pkg/setup/initialize.go
@@ -3,6 +3,7 @@ package setup
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"strings"
 	"time"
 
@@ -138,6 +139,17 @@ func GenerateK8sCerts(ctx context.Context, currentNamespaceClient kubernetes.Int
 		"*." + etcdService + "-headless" + "." + currentNamespace,
 	}
 
+	//expect up to 20 etcd members, number could be lower since more
+	//than 5 is generally a bad idea
+	for i := 0; i < 20; i++ {
+		// this is for embedded etcd
+		hostname := vClusterName + "-" + strconv.Itoa(i)
+		etcdSans = append(etcdSans, hostname, hostname+"."+vClusterName+"-headless", hostname+"."+vClusterName+"-headless"+"."+currentNamespace)
+		// this is for external etcd
+		etcdHostname := etcdService + "-" + strconv.Itoa(i)
+		etcdSans = append(etcdSans, etcdHostname, etcdHostname+"."+etcdService+"-headless", etcdHostname+"."+etcdService+"-headless"+"."+currentNamespace)
+	}
+
 	// generate certificates
 	err := certs.EnsureCerts(ctx, serviceCIDR, currentNamespace, currentNamespaceClient, vClusterName, certificatesDir, clusterDomain, etcdSans)
 	if err != nil {